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Hackers hit more than 4000 websites around the world, injecting a crypto mining code into scripts being used on their sites. 
Photo / 123RF 

NZ Herald 

By: Chris Knox and Melissa Nightingale 


At least two council websites fell victim to cryptojackers last weekend without anybody 
realising, leaving visitors to the sites unwittingly helping hackers mine for cryptocurrency. 

The Porirua City Council and Whangarei District Council are among several thousand sites 
internationally that were caught up in what Netsafe has called a "benign" attack. 

Porirua City Council's chief information officer Steve McIntosh said the website itself was 
not compromised. But anyone visiting the site during the attack downloaded malicious 
code without realising it. 

On Sunday, 4275 websites, includingthe US Courts site and the UK's Information 
Commissioner's Office site were running a scriptthat had been altered to add a Coinhive 
crypto miner to any page it was loaded into. 


"People who visited that website overthe weekend, they would have seen their CPU, the 
brains of their computers, spike up to an enormous amount of activity suddenly," said 
Netsafe's director of technology Sean Lyons. 



Scott Helme @Scott_Helme 11 Feb 

Replying to @Scott_Helme 

Ok so this is via a 3rd party compromise, here is the script: 

browsealoud.com/plus/scripts/b... 


Scott Helme 

@Scott_Helme 


Hey @texthelp you've been compromised, you need to address 
this ASAP. Their site also has the crypto miner running: 

pic.twitter.com/flOU9ssZRr 
10:16 PM - Feb 11,2018 

GET NEWS UPDATES 

Get instant notifications as they happen 

NOT NOW ENABLE 

You can manage them anytime using browser settings 


http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1 &objectid=11993463 


2/7 



3/5/2018 


Porirua City Council and Whangarei District Council websites cryptojacked in international cyber attack - NZ Herald 


9 WwKy. A«c*n£*ty & X 

<- C x Seojf* httpK/AmMtlMMpXOm/cn-qb/ * © O : 

JF texthelp ^ 



105 43 people are talking about this 


"They were being used to mine cryptocurrency without their knowledge, without their 
host's knowledge." 

The practice is called "cryptojacking" and is when hackers use people's computers to 
"build small parts of cryptocurrency" such as Bitcoin. 

The hack was "at the benign end ofwhat could happen". 

"What people are doing is they're using your processing power, they're using your 
computer, albeit for a short space of time, as part of a giant hive of computers to help them 
generate money." 



Visitors to the Porirua City Council website on Sunday may have noticed their devices were running slower as 
they mined for cryptocurrency, similar to Bitcoin. Photo/123RF 


Affected people would discover thgiEit^E^s^PDATiiSg "massively slow" while they 
were on the site. Get instant notifications as they happen 

"Often people wouldn't notice. P^@pj|k!W#uld just S^PWonder why myfans have started 
running' or'I wonder m fe^rowsersettings 
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In theory if they stayed on the site long enough their CPU could overheat and cause 
physical damage to the computer, butthatwas unlikely, he said. 

After being contacted by the Herald, a council spokeswoman said on Tuesday that as far as 
they were aware, the website had not been cryptojacked. 

But screenshots show the site was still running the compromised script yesterday, a text- 
to-speech accessibility script called BrowseAloud byTextHelp.com. Security researcher 
Scott Helme posted on Twitter, saying it appeared the script was altered between about 
3am and 1.20pm on Sunday (GMT). 

The script was no longer on the council site this morning. 

Scott Helme 

A?- @Scott_Helme 

It seems like the @texthelp script file was modified between 
Sun, 11 Feb 2018 02:58:04 GMT and Sun, 11 Feb 2018 
13:21:56 GMT according to the 

@internetarchive:web.archive.org/web/2018021102...web.archiv 
e.org/web/2018021113... 

1:04 AM - Feb 12, 2018 

7 See Scott Helme's other Tweets 

"Our website was not compromised in any way," McIntosh said in a statement. 

"We were using the third party plugin BrowseAloud to enable people with sight 
impairments to 'read' our site. BrowseAloud converts website text to audio. Customers 
who used this plugin load it directly from the Browsealoud website notthe Porirua City 
Council website." 

The Whangarei District Council, which is still running the script, has been contacted for 
comment. 

Lyons said this type of hack was sometimes referred to as a "drive-by exploit", when visitors 
to the site went there for something else but ended up being harmed by something else in 
the process. 

"There are ways to stop these kinds of exploits but it does take time and it does take 
resource to do that, so sometimes we know when things do slip through ... you find 
yourself in situations where you p^^p^^/'S^p^^t^geople who use your website 
potentially in harm's way."Get instant notifications as they happen 

If websites had "holes" and vuln<N^TiNlGMthat allcE/MAfBLiEch things to happen, then "the 
world's your oyster as browser settings 
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Screenshots show the affected ba.js script still being used on the Porirua City Council website on Tuesday. 
Image/ Chris Knox 

"They could be at that point trying to put similar software on your computer that causes a 
chain reaction across the internet." 

Hackers could potentially dig forsensitive details including names, passwords, logins, 
emails, or, on the more serious end, driver's licence details, passport numbers, and bank 
details. 

Anyone using their banking details on the council website was not at risk from the 
vulnerability, though, as the parts of the site used for payments were hosted elsewhere. 

Lyons said people managing public websites should run firewalls and run systems on the 
servers, and these would stop 99 per cent of attacks. 

In a statement released on Sunday, the third party provider Texthelp confirmed their 
BrowseAloud script had been compromised in a cyber attack. 

"The attacker added malicious code to the file to use the browser CPU in an attempt to 
illegally generate cryptocurrency. ^T'lKffiWSrWD^'EES" said chief technology officer 
Martin McKay in the stater^ t nstant notifications as they happen 

"Texthelp is working with the Naft<9rfd't J @Wfrie Ageni^SfeErhe National Cyber Security 
Centre to pursue the in^^^ft^gM-anytime using browser settings 
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'Evil' policy robs pensioners of dignity, 
independence 
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Three pensioners say their human rights are being 
breached by pension deductions. 
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US billionaire threatens to halt NZ expansion 
plans if foreign ban passes 
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3 minutes to read 


Billionaire won't expand in NZ if law change is enacted. 
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Aussie Warner in ugly tunnel fracas 
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5 minutes to read 

Leaked video has emerged of a spiteful dressing room 
confrontation in Durban. 
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